IoT Protocols And Security

Mrs. K.M. Sanghavi

 IoT Standardization Efforts
• The IoT- A (Internet of Things architecture) is
targeting a holistic(universal) architecture for
all IoT sectors.
• 17 European organizations from nine countries
are a part of IoT- A.
• They summarize the current status of IoT
standardization as :
 Current IoT Standardization acc to
IoT-A
Fragmented architectures

No universal approach to implement IoT has yet been

proposed

Many island solutions do exist (RFID, sensor nets, etc.)

Little cross-sector reuse of technology and exchange of

knowledge
 Current IoT Standardization is a
problem , SO

What could be Done to Solve this???

 Proposed Solution By IoT-A for
Standardization
Create Architectural foundation for IoT, that will be operable
with future Internet

Use Existing technologies instead of creating new ones.

Demonstrating the applicability of IoT in a set of use cases

Establish a strong stakeholder group to remove the barriers

and accept IoT on wide scale

Combine various IoT technologies into a single entity.

 Groups doing IoT Standardization

Work Package Framework (WPF)

International Telecommunication Union

Telecommunication Standardization Sector(ITU-T)

Internet Protocol for Smart Objects (IPSO)

• Aim to form an open group of companies to market and

educate about how to use IP for IoT smart objects based on an
all- IP holistic approach
 Work Package Framework
• The WPF divides the implementation standards of IoT
into hierarchical groups of tasks as shown in the
below
 International Telecommunication Union
Telecommunication Standardization Sector
• The ITU-T mission is to ensure the efficient
and timely production of standards
covering all fields of telecommunications on
a worldwide basis, as well as defining tariff
and accounting principles for international
telecommunication services
• The technical work, the development of
Recommendations, of ITU-T is managed by
Study Groups (SGs).
• There are currently 11 SGs.
 International Telecommunication Union
Telecommunication Standardization Sector
 Internet Protocol for Smart Objects
• The IPSO Alliance is an open, informal and
thought-leading association of like-minded
organizations and individuals that promote the
value of using the Internet Protocol for the
networking of Smart Objects.
• IP Stack can easily run on tiny, battery operated
embedded devices as it is long-lived and stable
technology.
• The role of the alliance is to ensure how IPv4,
IPv6, and 6LoWPAN are used, deployed and
provided to all potential users.
 Internet Protocol for Smart Objects
• Mobile IP is an approach by IETF (Internet
Engineering Task Force) which manages the
movement of mobile devices over IPV4 and IPV6
 M2M Standardization Efforts

M2M Standardization Task Force (MSTF) coordinate

the efforts of individual standards development
organizations (SDO)for M2M Applications

These define a conceptual framework for M2M

applications and specify a service layer that will enable
application developers to create applications that
operate transparently across different vertical domains
 M2M Standardization Efforts

M2M standards activities include the

following
• Use JSON as Data Transport Format
• Resolve IP addressing issues for devices IPV6
• Use Open REST- based API for M2M applications
• Remote management of devices behind a gateway
or firewall be done
• Fix the charging standars
 WSN Standardization Efforts

There are number of standardization

bodies in the field of WSNs

The IEEE focuses on the physical and

MAC layers

IETF works on layers 3 and above.

 WSN Standardization Efforts
IEEE 1451 is a set of smart transducer interface standards developed
by the IEEE Instrumentation and Measurement Society’s Sensor
Technology Technical Committee that describe a set of open,
common, network- independent communication interfaces for
connecting sensors or actuators) to microprocessors, instrumentation
systems, and control/field networks

The goal of the IEEE 1451 family of standards is to allow the

access of transducer data through a common set of interfaces
whether the transducers are connected to systems or networks
via a wired or wireless means
 WSN Standardization Efforts …IEEE
1451 Activities
1451.0-2007 Common Functions, Communication
Protocols

1451.1-1999 Network Capable Application Processor

Information Model

1451.2-1997 Transducer to Microprocessor

Communication Protocols

1451.3-2003 Digital Communication Formats for

Distributed Multi- drop Systems
 WSN Standardization Efforts …IEEE
1451 Activities

1451.4-2004 Mixed- mode Communication Protocols

1451.5-2007 Wireless Communication Protocols

1451.7-2010 Transducers to Radio Frequency Identification

(RFID) Systems Communication Protocols
 SCADA Standardization Efforts

IEEE created a standard specification, called Std

C37.1™, for SCADA and automation systems

The processing is now distributed, and functions

that used to be done at the control center can
now be done by the intelligent electronic
devices (IED) that is, M2M between devices
 SCADA Standardization Efforts

The ISA100 was developed by the

standards committee of the Industrial
Society for Automation formed to
define procedures for implementing
wireless systems in the automation
and control environment with a focus
on the field level
 SCADA Standardization Efforts

OPC, which stands for Object Linking and Embedding (OLE)

for Process Control standard specification developed by an
industrial automation industry task force (IAITF)

The standard specifies the communication of real- time

plant data between control devices from different
manufacturers

OPC was designed to provide a common bridge for

Windows- based software applications and process control
hardware
 RFID Standardization Efforts

The RFID protocols and data formats are relatively well defined,
mostly by EPCglobal (Electronic Product Code)

The standard for contactless smart card communications is ISO/

IEC 14443 allows for communications at distances up to 10 cm.

ISO/ IEC 15693, which allows communications at distances up to

50 cm

International Organization for Standardization (ISO) and the

International Electrotechnical Commission (IEC).
 Summary

IoT-A • WPF, ITU-T,IPSO

M2M • MSTF

• IEEE which developed

WSN IEEE1451 , IETF
• IEEE developed C37.1 , ISA ,
SCADA IAITF developed OPC
• EPCGlobal developed ISO/IEC
RFID 14443 and ISO/IEC 15693
 Issues of IoT Standardization

Standardization is like a
double- edged sword: critical
to market development, but it
may threaten innovation and
inhibit change when standards
are accepted by the market.
 Issues of IoT Standardization

• Different consortia, forums, and alliances have

been doing standardization
• Even within the same segment, there are
more than one consortium or forum doing
standardization
• ICT standardization is a highly decentralized
activity.
 Unified Data Standards in IoT for data
Exchange
• Use XML representation for data
exchange/transfer
• Resource Description framework (RDF) can be
used for modeling the information that is
deployed as web resource
• Use REST API
• ebXML can be used for e-commerce solutions
• IEEE 1451
IoT Protocols

IEEE 802.15.4

BacNet

ModBus

KNX

Zigbee
 Wireless

Wireless communication standards:

• IEEE 802.11 a/b/g
• Bluetooth
• GSM
What makes them unattractive for WSN:
• Power hungry (need big batteries)
• Complexity (need lots of clock cycles and memory)
New protocol for WSN:
• 802.15.4
• Zigbee
802.15.4
 802.15.4

• IEEE 802.15.4 task group began to develop a

standard for LR-WPAN.
• The goal of this group was to provide a
standard with ultra-low complexity, cost, and
power for low-data-rate wireless connectivity
among inexpensive fixed,portable, and
moving devices.
802.15.4
 Approaches for Low Power
In order to achieve the low power and low cost goals
established by IEEE 802.15.4 the following approaches
are taken
• Reduce the amount of data transmitted
• Reduce the transceiver duty cycle and frequency of
data transmissions
• Reduce the frame overhead
• Reduce complexity
• Reduce range
• Implement strict power management mechanisms
(power-down and sleep
 IEEE 802.15.4
• IEEE 802.15.4 deals with only PHY layer and
portion of Data link layer.
• The higher-layer protocols are left to industry
and the individual applications.
• The Zigbee Alliance is an association of
companies involved with building higher-layer
standards based on IEEE 802.15.4. This
includes network, security, and application
protocols.
 IEEE 802.15.4

IEEE 802.15.4 draft standard supports multiple

network topologies including star and peer to peer
topology.
IEEE 802.15.4
 IEEE 802.15.4
• IEEE 802 splits DLL into MAC and LLC sublayers.
• LLC is standardized and is common in
802.3,802.11,802.15.1.
• Features of the IEEE 802.15.4 MAC are
– Association and disassociation
– acknowledged frame delivery
– Channel access mechanism
– Frame validation
– Guaranteed time slot management
– Beacon management.
 IEEE 802.15.4 …MAC

• MAC provides data and management services

to upper layers
• 802.15.4 MAC is of very low complexity,
making it very suitable for its intended low-
end applications, albeit at the cost of a smaller
feature set than 802.15.1 (e.g., 802.15.4 does
not support synchronous voice links).
IEEE 802.15.4 …MAC
 IEEE 802.15.4 …MAC
• Frame control field indicates the type of MAC
frame being transmitted, specifies the format of
the address field, and controls the
acknowledgment.
• Multiple address types : 64 bit physical address
and short 8 bit network assigned address are
provided.
• Address field size may vary from 0 to 20 bytes.
• Payload field is variable with condition size of
mac frame <= 127 bytes.
• FCS is used for integrity check using 16 bit CRC.
 IEEE 802.15.4 …PHY
• This standard provides 2 PHY options with
frequency band as fundamental difference.
• 2.4 GHz band has worldwide availability and
provides a transmission rate of 250 kb/s.
• The 868/915 MHz PHY specifies operation in the
868 MHz band in Europe and 915 MHz ISM band
in the United States and offer data rates 20 kb/s
and 40 kb/s respectively.
• Different transmission rates can be exploited to
achieve a variety of different goals.
IEEE 802.15.4 …Channel Structure
IEEE 802.15.4 …Modulation
 ModBus

• Modbus is a serial communications protocol

originally published by Modicon (now
Schneider Electric)
• Used to establish master-slave/client-server
communication between intelligent devices
• Openly published and royalty-free
• Modbus enables communication between
many (approximately 247) devices connected
to the same network
 ModBus
• MODBUS devices communicate using a master-
slave technique in which only one device (the
master) can initiate transactions (called queries).
• The other devices (slaves) respond by supplying
the requested data to the master
• A slave is any peripheral device (I/O transducer,
valve, network or other measuring device),
which processes information and sends its output
to the master .
• Masters can address individual slaves, or can
initiate a broadcast message to all slaves.
ModBus
ModBus
 ModBus

• MODBUS Frames :
– ADU …Application Data Unit
– PDU …. Protocol Data Unit
 ModBus

• MODBUS Frames :
– ADU …Application Data Unit
– PDU …. Protocol Data Unit

• The PDU frames : function Code+ data.

• The ADU frames : Add+FC+data+Error check .
• The FC -> action to perform and the data ->
information to be used for this action.
 ModBus Data TYpes

• Modbus transactions always perform a set of

actions by reading or writing to a set of four
data ,used by the Modbus application layer.
 ModBus Accessing Data

• 16-bit Unsigned Registers And Single-bit Coils

– Input Registers And Holding Registers
– Input Coils And Status Coils
• 64 kb of space is allocated for registers and
coils
 ModBus Transmisssion modes
• ASCII …Uses Longitude Redundancy Check
• Remote Terminal Unit …Uses Cyclic Redundancy
Check

– In Modbus RTU, bytes are sent consecutively with a 3-

1/2 character space between messages for a delimiter.
This allows the software to know when a new
message is starting.
• Any delay between bytes will cause Modbus RTU to interpret
it as the start of a new message.
– Modbus ASCII marks the start of each message with a
colon character " : " (hex 3A).
• The end of each message is terminated with the carriage
return and line feed characters (hex 0D and 0A)
ModBus Transmisssion modes
ModBus Transmisssion modes
BACNet Protocol
 BACNet
• Building Automation and Control Networks developed
by American Society of heating, Refrigerating and Air-
Conditioning Engineers( ASHRAE)
• It is a data communication protocol designed for
communication between building automated system
components
• This is an Object Oriented protocol
• Objects : Physical device, temperature input( analog
input) , A relay control(binary output), schedules
• Services : Used to perform read, write and I/O
 BACNet
• BacNet Objects are evaluated and controlled
by their properties
• Property Name, Value
Object Name “Lighting Area”
Object Type BINARY_OUTPUT
Present Value Active
Status_Flags Normal, In-Service
Out_Of_Service False
Inactive_Text “Off”
Active_Text “On”
 BACNet Services
• BacNet Services are formal requests that one BACNet
device sends to another to ask it to do something
• Categories :
– Object Access (Read, Write, Create, Delete)
– Alarm and Event (Alarms and Changes of State)
– File Access (Trend data, Data transfer)
– Remote Device Management (Discover, Time
Synchronization, Backup and Restore Database,
Initialization)
– Virtual Terminal (HMI via menus)
– Who Is, I Am , Who-Has, I-Have
• These follow a Client-Server model
BACNet Protocol Stack
BACNet Network Types i.e Physical and
Data Link Layer
BACNet IP
• Used with existing ethernet, WAN

BACNet MS/TP
• Uses Twisted Pair EIA -485 upto 4000 feet

BACNet ISO 8802-3

• Limited to Single Infrastructure without IP routers

BACNet P2P
• Used only for dial-up telephone networks
KNx Protocol
 KNX
• Abbreviation for KONNEX evolved from EHS
(European Home Systems Protocol), EIB
(European Installation Bus), BatiBUS
• Used for Building Automation
• Operates on more than one physical layer e.g
twisted pair wiring, Ethernet, infrared
• Every Unit hooked up to the KNX system is smart
enough and does not rely on other parts to
function
• KNX devices are sensors, actuators, system
devices.
 KNX
• KNX Devices have 3 modes :
– A-mode(automatic)….Configure themselves
– E-mode (easy)…Require training to install
– S-mode(system mode)….must be programmed by
specialists.
• KNX network can be formed with tree, line
and star topologies
• This can Link upto 57,375 devices
 KNX
• For Routing of messages KNX uses telegrams

Control Source Dest Routing Length Data Parity 8

8 Bits Address Address Counter 3 3 Bit Upto 16 Bits
16 Bits 17 bits Bits bytes
 KNX Telegram
Control – Decides Priority • High, Low, Alarm, System
or For Acknowledgment • ACK,NAK, BUSY

Source Address • 4 bits- Area ID, 4 Bits- Line ID, 4 Bits- Device ID

• Can be Physical or Logical – 17th Bit indicates PHY - 0 or

Dest Addr LOG-1

Routing Counter • Defines Hop Count …Limited to 6 Hops

Parity • Used to Secure the Telegram

 KNX
• Used for control of building management
– Lighting
– Blinds/Shutters
– HVAC
– Metering
– Remote Control
– Refrigerators, Washers, Dryers
– Security Systems
 KNX
• Advantages
– Platform Independent
– Low energy consumption
– Open Standard
ZigBee Protocol
 ZigBee Technology
• Built on IEEE 802.15.4 standard for Wide Personal
Area Network(WPAN)
• This defines PHY and MAC layers to handle many
devices at low-data rates.
• These operate at 868 MHz(Europe with 20Kbps),
902-928 MHz(US with 40 Kbps) and 2.4
GHz(Entire world with 250 Kbps)
• Low-cost and low-powered mesh network, which
covers range of 10-100m.
• These can be extended with the help of routers
 ZigBee Architecture
• This consists of Three Devices in the n/w layer
– Zigbee coordinator
– Router
– End Device
• Zigbee coordinator - Every Network in Zigbee must
have a coordinator(root) that handles and stores the
information and also transmit and receive data
operations.
• Router – These are intermediary devices that permit
data to pass to and fro through them to other devices.
• End Devices – Have limited functionality to
communicate with parent nodes
ZigBee Architecture
 ZigBee Architecture
• This consists of various layers out of which PHY and
MAC Layer are defined by 802.15.4
• Zigbee has own Network Layer and Application
Layer.
– Physical Layer – Does modulation, demodulation
– MAC Layer – responsible for reliable transmission of
data with CSMA/CA
– Network – Routing, Network configurations,
connections and disconnection management
– Application support sub-layer : Interfaces with data
managing services
– Application framework : Provides two types of
messaging service General messaging(GMS), Key-value
pair(K_V pair).
 ZigBee OPERATING Modes
• Non- Beacon
– The coordinators and routers continuously
monitor active state of incoming data hence
more power is consumed.
• Beacon
– When there is no data communication from end
devices, the routers and coordinators eneter
into sleep state.
– The coordinator wakes up periodically and
transmits the beacons to routers
 ZigBee Topologies
• Star…Here there is one coordinator
responsible for initiating and managing
devices.
• Mesh…. Several routers are connected
• Cluster- Tree
 ZigBee N/W Frame Format

Octets 2 2 1 1 Variable
:2
Frame Dest Sourc Radiu Seq Frame Payload
Contro Addr e s No
l Addr
Routing Fields

Network Header Network Payload

 ZigBee N/W Frame
• Frame Control – Define various parameters like
:
– Communication type – Unicast/MutiCast/Broadcast
– Security – Enabled/Disabled
– Route discovery – Enabled/Disabled
– Source / Destination Addr Specified or not
• Addr : 64-bit / 16-bit
• Radius – defines maximum number of hops
allowed for packet
• Seq. No – Packet Counter
 ZigBee APS Frame Format

Octets 0/1 0/1 0/2 0/1 Variable

:1
Frame Dest Clust Profil Sourc Frame Payload
Contro EndP er e e
l oint Identi Identi endp
fier fier oint
Addressing Fields

APS Header Network Payload

 ZigBee APS Frame
• Frame Control – Define various parameters like :
– Frame type- Data/Command/ACK
– Security – Enabled/Disabled
– Delivery mode – Unicast/Broadcast/Multicast
– Source / Destination Addr Specified or not
• Addr : 8-bit source / dest addr
• Cluster Identifier – Used to identify the cluster that
is used in binding operation of zigbee coordinator.
This is present for data frames but not for command
frames.
• Profile Identifier – Specifies the profile for which
frame is intended. Used only for Data and ACK
frame.
 ZigBee Applications
• Home Automation
• Smart Metering
• Smart Grid Monitoring
• Industrial Automation
 IoT Device Life Cycle
Boot Up
• Device is loading the firmware and starts to
work as defined

Initialization
• Establish connection, Sync Data, Read
configuration

Operation
• Device performs its designed task continuously

Update
• New Firmware arrives, device reboots, and
loads new frimware
 IoT Device Life Cycle ….BootUp

• Firmware integrity check: To ensure that firmware has not

been modifed or tampered by others, the best method is to
implement an integrity check by embedded checksum or
secure password.
• Secure boot: Encrypt firmware with PKI or public/private
certification to secure the whole boot-up process.
IoT Device Life Cycle ….Initialization
• AAA protection
• Use proper encryption to avoid user/device hijack.
• Default account credentials appear in many IoT devices. It’s
best to have an activation process which requires end-user
to change default password.
• Key/Certification protection:
• Use a KMS (Key Management System) or CMS (Certification
Management System) to protect encryption/decryption
keys, or store those keys in a TPM (Trusted Platform Module).
IoT Device Life Cycle ….Initialization
• Communication protection: The communication between
device and device, device and the Internet, or device and user
interface (through mobile apps or web apps) should be
encrypted (HTTPs, AES 128, 256, and others).
• Identity protection: To prevent a fake identity within the
communication group, it is necessary to make sure the
communicated object is certified. A KMS or CMS can also play
an important role here.
 IoT Device Life Cycle ….Operation
• AAA protection
• Remove all backdoor debug user accounts. From several
studies, we have found out that many IoT devices keep
those accounts for debugging purposes in the system and
that increases the chances of penetration.
• During the operation stage, the IoT device may still
associate with new devices, users, and clouds, for example;
add new monitor sensors for a connected home, or
creating additional user account for home member, so
account protection is still needed in this stage.
 IoT Device Life Cycle ….Operation
•Monitoring:
• The device should implement knowledge to detect
abnormal operations and, if such operations occur,
provide a warning to the backend or end user.
• Integrity check: Run-time integrity checks can prevent the
device from being compromised during operation.
Leveraging cloud technology to have two-way integrity
checks will be the most effective way.
 IoT Device Life Cycle ….Operation
• Risk management: Use a method like virtual patching or a
host IPS to reduce risk before Firmware Over-the-Air (FOTA)
triggers
 IoT Device Life Cycle ….Updation
•Secure FOTA (Firmware Over-the-Air):
Before the FOTA trigger, the new firmware needs to be
encrypted and checked to make sure the next lifecycle will
be performing a secure boot up again.
 Attacks

Active Passive

Attacker tries Attacker just

to manipulate monitors data
data flow
 Problems of IoT Security

• Initial design was for private communication

network then moved to IP network and later on
the Internet
• Firmware updates are hard or nearly impossible
after installations
• Started with basic security then found the security
flaws and attached more complex security
requirements later
• Low security devices from early design are still
out there and used in compatible fall-back mode
 Problems of IoT Security

• Fake Control Server

• Attack on Device Ports
• Attack on Server Ports
• Steal Credential
• Inject Bad Configuration
• Sniff Data on Private Network
 IoT Vulnerabilities
• I1 Insecure Web Interface
• I2 Insufficient Authentication/Authorization
• I3 Insecure Network Services
• I4 Lack of Transport Encryption/Integrity Verification
• I5 Privacy Concerns
• I6 Insecure Cloud Interface
• I7 Insecure Mobile Interface
WANT PC MS
• I8 Insufficient Security Configurability
• I9 Insecure Software/Firmware
• I10 Poor Physical Security
IoT Vulnerabilities
IoT Vulnerabilities in IoT
IoT Vulnerabilities in IoT
IoT Vulnerabilities in IoT
IoT Vulnerabilities in IoT
IoT Vulnerabilities in IoT
IoT Vulnerabilities in IoT
IoT Vulnerabilities in IoT
IoT Vulnerabilities in IoT
IoT Vulnerabilities in IoT
IoT Vulnerabilities in IoT
 Security Challenges in IoT

• Wireless communication
• Physical insecurity
• Constrained devices Potentially sensitive data
• Lack of standards
• Heterogeneity: weakest link problem
• A systems, not software problem
• Classic web / internet threats
• Identity management & dynamism
• Inconvenience and cost
Attacks in Different Layers of IoT

Transport Network MAC

Routing Loop Spoofing
Send Wrong
Data
WormHole
Attack Man In the
Network Middle
Partitioning
Incorrect
Control Packets Eaves Dropping
Denial of Service
 How to Secure IoT Devices
Download
…https:/www.youtube.com/watch?v=2Z
c2PDXtjsI

1. Secure Boot
2. Authentication
3. Protected Ports ..Physical Security
4. Secure Storage
5. Secure Connections
 Key Elements in IoT Security
Identity Establishment
• Use Public Key Cryptography

Access Control
• Define boundary of data access for devices…Data Access is done by Authentication

Data and Message Security

• Use Data Encryption Standards

Non-Repudiation and Availability

• Rejecting the fact that one entity has sent or received the message, and make all
resources available and updated
Security Model
• Represent Security Features to be followed by an IoT Application
 Security Model for IoT

Security ..Authentication,
Confidentiality, Integrity, Availability

Trust …Repudiation

Privacy..Users Privacy, Laws, Ethics of

communication